Loading

Rockwell Automation Security Advisories

We investigate all internally and externally reported security issues and publish security advisories for all validated security vulnerabilities. These advisories allow our customers and partners to assess the impact of the vulnerabilities and take appropriate action.
Have a Security Concern? SIGN UP FOR ALERTS VULNERABILITY POLICY

Welcome to the new Rockwell Automation Security Advisory portal. Click here to read more about our security advisory initiative.

We recently relocated all security advisories to this public-facing Security Advisory Portal, which is part of Rockwell Automation’s Trust Center. In the past, our security advisories were stored in the Rockwell Automation Knowledgebase and required authentication to obtain access. This new portal gives customers and partners easier access to advisories, which enables them to better manage the security posture of Rockwell Automation solutions.

Our new Security Advisory Portal includes search and filter functionality, enabling customers to more easily find advisories on their products. Security advisories now include Common Security Advisory Framework 2.0 (CSAF) content, a standard that supports automated security advisory ingestion and helps customers intake vulnerability management data faster. Our security advisories also include Known Exploited Vulnerability (KEV) data. The US Cybersecurity & Infrastructure Security Agency (CISA) maintains the authoritative source of vulnerabilities exploited in the wild and lists exploited vulnerabilities in the (KEV) catalog. We strongly encourage customers to use this information to prioritize remediation efforts within their vulnerability management processes.

These changes support our commitment to security and transparency. The legacy Industrial Security Advisory Index page in the Knowledgebase will remain accessible through mid-2024 to allow customers time to transition to the new portal. Customers will continue to receive email alerts based on their subscription preferences and can subscribe for alerts using the link on the Security Advisory portal.
Ordenar y filtrar
CloseClose
CloseClose

Filtrar y refinar

Mostrando
-
de
Resultados
SearchSearch
Ordenar por
Fecha de la última actualización
CVSS Score
Producto
Filtrar resultados
Mostrando
-
de
Resultados
PN1656 | FactoryTalk® View Site Edition Vulnerable to Improper Input Validation (CVE-2023-46289)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® View Site Edition V11.0 v11.0 & v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46289 IMPACT
The affected product insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1655 | FactoryTalk® Services Platform Elevated Privileges Vulnerability (CVE-2023-46290)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Services Platform v2.74 V2.80 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service.

CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1654 | Arena® Simulation Buffer Overflow Vulnerabilities (CVE-2023-27854, CVE-2023-27858 )

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 27, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using a uninitialized pointer in the application.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1653 | Stratix® 5800 & 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit) (CVE-2023-20198)

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023 and additional information can be found in their original disclosure. As of time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed.  While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer.  This advisory will be updated, as remediation steps become available.

Affected Products

Affected Product First Known in firmware revision Corrected in Firmware Revision
Stratix® 5200, 5800 All versions running Cisco IOS XE Software with the Web UI feature enabled Not Remediated

Vulnerability Details

CVE-2023-20198 IMPACT
Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system. 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. 

CVSS Base Score: 10/10 (high) 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Risk Mitigation & User Action

Rockwell strongly encourages customers to follow guidance disabling Stratix® HTTP servers on all internet-facing systems. 

  • To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
  • When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.
  • Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

Additional Resources

PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure (CVE-2023-29464)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 12, 2023

Affected Products

Affected Product First Known in Revision Corrected in Revision
FactoryTalk® Linx v6.20 v6.20 & v6.30 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  Rockwell Automation would like to thank Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-29464 IMPACT

FactoryTalk Linx, in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol.

CVSS Base Score: 8.2/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

PN1649 | Select Logix Communication Modules Vulnerable to Email Object Buffer Overflow (CVE-2023-2262)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.  This vulnerability is not related to PN1633 - Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules .

Affected Products

Affected Catalog Series Affected Firmware Version Corrected in Firmware Version
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A, B, C <=5.008 and 5.028 Update to 5.009 and 5.029 or later
D <=11.002 Update to >=11.003 or later
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.002 Update to >=11.003 or later
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 and 5.028 Update to 5.009 and 5.029 or later
C <=11.002 Update to >=11.003 or later
1756-EN2F
1756-EN2FK		 A, B <=5.008 and 5.028 Update to 5.009 and 5.029 or later
C <=11.002 Update to >=11.003 or later
1756-EN3TR
1756-EN3TRK		 A <=5.008 and 5.028 Update to 5.009 and 5.029 or later
B <=11.002 Update to >=11.003 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2262 IMPACT
A buffer overflow vulnerability exists in select communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform a remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to device.

CVSS Base Score: 9.8/10
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121: Stack-based Buffer Overflow

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1648 | Connected Components Workbench™ Vulnerable to CefSharp Vulnerabilities (CVE-2020-16017, CVE-2022-0609, CVE-2020-16009, CVE-2020-16013, CVE-2020-15999)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product Affected Versions Corrected in Software Version
Connected Components Workbench™ (CCW) Versions Prior to R21 R21 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVSS Base Score: 9.6/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write & 843 Access of Resource Using Incompatible Type (‘Type Confusion”)
 
Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-15999
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML.

CVSS Base Score: 6.5/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1647 | PanelView™ 800 Vulnerable to CVE-2017-12652 (CVE-2017-12652)

Revision History

Revision Number

1.0

Revision History

Version 1.0 - September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product First Known in firmware revision Corrected in firmware revision
2711R-T10T v3.011 v6.011
2711R-T7T
2711R-T4T

Vulnerability Details

An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, which is PNG’s reference library, version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 9.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
 

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1646 | KEPServer Enterprise Vulnerable to Multiple Vulnerabilities (CVE 2023-29444, CVE 2023-29445, CVE 2023-29446, CVE 2023-29447)

Revision History

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
KEPServer Enterprise v11.00 Expected November 2023

Vulnerability Details

Rockwell Automation was notified by CISA of vulnerabilities discovered in Kepware® KEPServerEX (also known as PTC ThingWorx Industrial Connectivity), which affects Rockwell Automation’s KEPServer Enterprise product. Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

CVE 2023-29444 KEPServer Enterprise Uncontrolled Search Path Element
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE 2023-29445 KEPServer Enterprise Uncontrolled Search Path Element
KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE 2023-29446 KEPServer Enterprise Improper Input Validation
KEPServerEx is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes, and crack them offline.

CVSS Base Score: 4.7 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-20: Improper Input Validation

CVE 2023-29447 KEPServer Enterprise Insufficiently Protected Credentials
The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server's plaintext credentials.

CVSS Base Score: 5.7 /10 (Medium)
CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-522: Insufficiently Protected Credentials

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the risk mitigations below and implement our suggested security best practices to minimize risk of this vulnerability in their environments. 

Additional Resources

PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution (CVE-2023-2071)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product First Known in Revision Corrected in Revision
FactoryTalk View Machine Edition v12.0 v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-2071 IMPACT

FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.  The device has the functionality, through a CIP class, to execute exported functions from libraries.  There is a routine that restricts it to execute specific functions from two dynamic link library files.  By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

CVSS Base Score: 9.8/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

PN1642 | Pavilion8® Security Misconfiguration Vulnerability (CVE-2023-29463)

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
Pavilion8® v5.17 v5.20

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-29463 IMPACT

The JMX Console within the Pavilion is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session.

CVSS Base Score: 8.8/10
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: 287- Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.


If customers are unable to update to v5.20, please follow the instructions below to disable the vulnerability in v5.17.

  1. Open the web.xml file in your Pavilion8® installation folder set during installation and go to Console\container\webapps\ROOT\WEB-INF, by default this would be under C:\Pavilion\Console\container\webapps\ROOT\WEB-INF.
  2. Search for the text jmx-console-action-handler and delete the below lines from web.xml file:

      <servlet>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
      </servlet-mapping>
     
  3. Save the changes and close the file.
  4. Restart Pavilion8® Console Service.
  5. Logout and log back into the console and navigate to the URL http:// <FQDN>/jmx-console to confirm you are getting the error message HTTP Status 404 – Not Found.

Note: <FQDN> is your fully qualified domain name used for the Console login.

Additional Resources

PN1639 | Select Distributed I/O Communication Modules vulnerable to a Denial-of-Service Vulnerability (CVE-2022-1737)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 23, 2023

Affected Products

Affected Product First Known in Firmware Version Corrected in Firmware Version
1734-AENT/1734-AENTR Series C <=7.011 7.013
1734-AENT/1734-AENTR Series B <=5.019 5.021
1738-AENT/ 1738-AENTR Series B <=6.011 6.013
1794-AENTR Series A <=2.011 2.012
1732E-16CFGM12QCWR Series A <=3.011 3.012
1732E-12X4M12QCDR Series A <=3.011 3.012
1732E-16CFGM12QCR Series A <=3.011 3.012
1732E-16CFGM12P5QCR Series A <=3.011 3.012
1732E-12X4M12P5QCDR Series A <=3.011 3.012
1732E-16CFGM12P5QCWR Series B <=3.011 3.012
1732E-IB16M12R Series B <=3.011 3.012
1732E-OB16M12R Series B <=3.011 3.012
1732E-16CFGM12R Series B <=3.011 3.012
1732E-IB16M12DR Series B <=3.011 3.012
1732E-OB16M12DR Series B <=3.011 3.012
1732E-8X8M12DR Series B <=3.011 3.012
1799ER-IQ10XOQ10 Series B <=3.011 3.012

Vulnerability Details

This issue was reported to Rockwell Automation by the Cybersecurity and Infrastructure Security Agency.  The affected devices utilize the Pyramid Solutions EtherNet/IP Adapter kit and are could potentially be affected by the vulnerability.

CVE-2022-1737 IMPACT
Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition.

CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-787 Out-of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1638 | ThinManager® ThinServer™ Input Validation Vulnerabilities (CVE-2023-2917, CVE-2023-2914, CVE-2023-2915)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 17, 2023

Affected Products

Affected Product Vulnerability First Known in Software Versions Corrected in Software Versions
ThinManager® ThinServer™
  • CVE-2023-2914
  • CVE-2023-2915
  • CVE-2023-2917
  • 11.0.0-11.2.6
  • 11.1.0-11.1.6
  • 11.2.0-11.2.6
  • 12.0.0-12.0.5
  • 12.1.0-12.1.6
  • 13.0.0-13.0.2
  • 13.1.0

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2023-2914 IMPACT
Due to improper input validation, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation

CVE-2023-2915 IMPACT
Due to improper input validation, a path traversal vulnerability exists when the ThinManager processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges.   A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation

CVE-2023-2917 IMPACT
Due to improper input validation, a path traversal vulnerability exists, via the file name field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.  A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1637 | Armor ™ PowerFlex ® Critical Fault Vulnerability (CVE-2023-2423)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 8, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Armor™ PowerFlex® 1.003 2.001 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2423 IMPACT
A vulnerability was discovered in Armor™ PowerFlex® when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations.

CVSS Base Score: 8.6
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE- 682 Incorrect Calculation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the below risk mitigations and implement our suggested security best practices to minimize risk of this vulnerability in their environments.

Additional Resources

PN1634 | Kinetix® 5700 DC Bus Power Supply Series A – CIP Message Attack Could Cause Denial-Of-Service (CVE-2023-2263)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Kinetix® 5700 DC Bus Power Supply – Series A V13.001 V13.003

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2263 IMPACT
The Kinetix 5700  DC Bus Power Supply Series A is vulnerable to CIP fuzzing.  The new ENIP   connections cannot be established if impacted by this vulnerability,  which prohibits operational capabilities of the device resulting in a denial-of-service attack.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible.

Additional Resources

PN1635 | ThinManager® ThinServer™ Path Traversal Vulnerability (CVE-2023-2913)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product First Known in software version Corrected in software version
ThinManager® ThinServer™
  • 13.0.0 - 13.0.2
  • 13.1.0
  • 13.0.3 or later
  • 13.1.1 or later

Vulnerability Details

A vulnerability was discovered by Security Researchers at Flashpoint.io and reported to Rockwell Automation. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2913 IMPACT
An executable used in the affected products can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-23 Relative Path Traversal

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

Additional Resources

PN1633 | Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules (CVE-2023-3596, CVE-2023-3595)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 12, 2023

Executive Summary

Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules. We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear. Previous threat actors cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers. Threat activity is subject to change and customers using affected products could face serious risk if exposed.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support. Detection rules have also been provided.

Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process. This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.

Customers using the affected products are strongly encouraged to evaluate and implement the mitigations provided below. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided below.

Affected Products

Catalog Series Versions
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A,B,C <=5.008 & 5.028
D <=11.003
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.003
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 & 5.028
C <=11.003
1756-EN2F
1756-EN2FK		 A, B <=5.008 & 5.028
C <=11.003
1756-EN3TR
1756-EN3TRK		 A <=5.008 & 5.028
B <=11.003
1756-EN4TR
1756-EN4TRK
1756-EN4TRXT		 A <=5.001

Vulnerability Details

CVE-2023-3595
Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS score: 9.8/10 (Critical)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write

CVE-2023-3596
Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.

CVSS Score: 7.5/10 (High)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-787: Out-of-bounds Write

Risk Mitigation & User Action

These vulnerabilities can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Catalog Series Affected Versions Remediations
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A,B,C <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
D <=11.003 Update to 11.004 or later
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.003 Update to 11.004 or later
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
C <=11.003 Update to 11.004 or later
1756-EN2F
1756-EN2FK		 A, B <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
C <=11.003 Update to 11.004 or later
1756-EN3TR
1756-EN3TRK		 A <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
B <=11.003 Update to 11.004 or later
1756-EN4TR
1756-EN4TRK
1756-EN4TRXT		 A <=5.001 Update to 5.002 or later
** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.029), it is not possible to revert to unsigned firmware versions.

Mitigations

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation.
  • Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
  • Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.
  • Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.
Additionally, organizations should increase protections of ICS/SCADA networks by implementing at least the following mitigations:
  • Regularly back up devices to allow for reversion to a clean copy of firmware or a working project;
  • disable unused CIP objects on communications modules, such as unused CIP Email and Socket Objects;
  • block all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and
  • monitor CIP traffic for unexpected content or unusual packets lengths.

Potential Indicators of Compromise

System owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, systems owners can look for the following potential IOCs (Indicators of Compromise) for ControlLogix communications modules:
  • Unknown scanning on a network for Common Industrial Protocol (CIP)-enabled devices.
  • Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules, including the Email Object and non-public vendor-specified objects.
  • Arbitrary writes to communication module memory or firmware.
  • Unexpected firmware updates.
  • Unexpected disabling of secure boot options.
  • Uncommon firmware file names.

Detection Rules

The following Snort rules are intended to be run on a computer with network visibility of a ControlLogix communications module and can be used to detect traffic to a ControlLogix communications module that does not conform to the CIP specification as provided by ODVA (Open DeviceNet Vendors Association). While both the CIP Email and Socket Objects are capable of communicating over a network, they are intended to communicate over the backplane of a ControlLogix PLC (Programmable Logic Controller) and therefore should not be seen over the network. However, it is possible that site engineers could configure a communications module such that there is legitimate network traffic to and from CIP Email and Socket Objects, potentially resulting in false positives.

Snort 2 Rules and Snort 3 Rules are both attached below.

References

Attachments
Attachments

PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack (CVE-2023-2746)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 11, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Enhanced HIM v1.001 v1.002

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigation, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

Additional Resources

PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability (CVE-2023-2072)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 11, 2023

Affected Products

Affected Product (automated) First Known in Software Revision Corrected in Software Revision
PowerMonitor™ 1000 V4.011 V4.019

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross site scripting vulnerabilities within the web page of the product.  The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

Additional Resources

PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities (CVE-2023-2639, CVE-2023-2637, CVE-2023-2638)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
FactoryTalk® Services Platform
* Only if the following were installed:
  • FactoryTalk® Policy Manager v6.11.0
  • FactoryTalk® System Services v6.11.0
 6.11.00 6.30.00

Vulnerability Details

Rockwell Automation received a report from Claroty regarding three vulnerabilities in FactoryTalk® System Services. If successfully exploited, these vulnerabilities may result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation used the latest version  of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2637  IMPACT
Hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk® Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H.
CWE: CWE-321: Use of Hard-coded Cryptographic Key

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2638  IMPACT
Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes places. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639  IMPACT
Origin validation error may lead to information disclosure. The underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk® Policy Manager is installed and potentially the entire security policy. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON

PN1628 | Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway (CVE-2021-35940, CVE-2017-12613)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Edge Gateway v1.03.00 v1.04.00

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2021-35940 IMPACT
An out of bounds array read vulnerability was fixed in the apr_time_exp*() function in the Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE 125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

PN1629 | Denial-of-Service Vulnerability in FactoryTalk® Transaction Manager (CVE-2023-2778)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Transaction Manager <=v13.10 BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2778 IMPACT
A denial-of-service (DoS) vulnerability exists in the affected products. This vulnerability can be exploited by sending a modified packet to port 400. If exploited, the application could potentially crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS Base Score 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400 Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

PN1625 | Inadequate Encryption Vulnerability in ThinManager® (CVE-2023-2443)

Revision History
Revision Number
2.0
Revision History
Version 1.0 - May 11, 2023
Version 2.0 - May 12, 2023 – Updated First Known in Software Version

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
ThinManager ® v13.0.0 and v13.0.1 v13.0.2

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers.  If the client requests an insecure cipher, a malicious actor could potentially decrypt traffic sent between the client and server API.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize risk of vulnerability.

Additional Resources

PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities (CVE-2023-29030, CVE-2023-29022, CVE-2023-29028, CVE-2023-29027, CVE-2023-29023, CVE-2023-29026, CVE-2023-29029, CVE-2023-29031, CVE-2023-29024, CVE-2023-29025)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product (automated) First Known in Firmware Revision Corrected in Firmware Revision
ArmorStart® ST 281E v2.004.06 N/A
ArmorStart® ST 284E all N/A
ArmorStart® ST 280E all N/A

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29031 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29026 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29027 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29029 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023 29022 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1623 | PanelView™ 800 – Remote Code Execution Vulnerabilities (CVE-2019-16748, CVE-2020-36177)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
PanelView™ 800 - 2711R-T4T V5.011 V8.011
PanelView™ 800 - 2711R-T7T V5.011 V8.011
PanelView™ 800 - 2711R-T10T V5.011 V8.011

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-36177 IMPACT
RsaPad_PSS in WolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size.  This is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used.  This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2019-16748 IMPACT
In WolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature ex in wolfcrypt/src/asn.c.  WolfSSL is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used.  This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125 Out-Of-Bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1624 | Open Ports Vulnerability in Kinetix 5500 EtherNet/IP Servo Drive (CVE-2023-1834)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Kinetix 5500 manufactured between May 2022 and January 2023

*The manufacturing date of the drive is stated on the product label.		 v7.13 Customers should upgrade to versions v7.14 or later to close the ports, which mitigates this issue.

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-1834 IMPACT
Rockwell Automation was made aware that Kinetix® 5500 drives, manufactured between May 2022 and January 2023, and are running v7.13 may have the telnet and FTP ports open by default.

CVSS Base Score: 9.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE 284 Improper Access Control

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected drives are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customer to implement our suggested security best practices to minimize risk of the vulnerability.

PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint® (CVE-2023-2444)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Vantagepoint® <v8.40 V8.40 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2444 IMPACT
A cross site request forgery vulnerability exists in the affected product. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product.

Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk® Vantagepoint® website, enters credentials for the FactoryTalk® Vantagepoint® server, and clicks on the malicious link a cross site request forgery attack would be successful as well.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are also encouraged to implement our suggested security best practices to minimize risk associated with the vulnerability.

Additional Resources

PN1621 | Arena® Simulation – Multiple Vulnerabilities (CVE-2023-29460, CVE-2023-29462, CVE-2023-29461)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 9, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.01

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29460 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29461 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29462 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1410 | FactoryTalk® Diagnostics Vulnerable to Remote Code Execution (CVE-2020-6967)

Revision History
Revision Number
1.3
Revision History
Version 1.0 – February 20, 2020. Initial Release
Version 1.1 – June 18, 2020. Pwn2Own Co-Discovery
Version 1.2 – February 10, 2023
Version 1.3 – April 10, 2023 – Added v6.31 Mitigations

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported a remote code execution (RCE) vulnerability in FactoryTalk® Services Platform to Rockwell Automation. Specifically, the vulnerability is found in the FactoryTalk Diagnostics subsystem, which provides customers the functionality to collect and view diagnostic messages from the FactoryTalk system for analysis and troubleshooting purposes.


FactoryTalk Diagnostics is utilized by many Rockwell Automation® products. We encourage customers to follow the steps provided to understand if they are affected.

Special thanks to rgod of 9sg working with ZDI to find this vulnerability. This vulnerability was co-discovered during the first ever Industrial Control Systems (ICS) Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI).

Affected Products

FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation. Including most products branded FactoryTalk or Studio 5000® software.

Vulnerability Details

CVE-2020-6967: Remote Code Execution due to Vulnerable .NET Remoting Instance
FactoryTalk Diagnostics exposes a remote network port at tcp/8082, which may allow an attacker to execute arbitrary code with SYSTEM level privileges.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS Vector String: AV:N/AC:L/PR:N/UI:N/SC:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10268

Risk Mitigation & User Action

Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.

Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.

Product Family Suggested Actions
FactoryTalk Services Platform V6.31
  • No actions are necessary:
    • Version supports use of Microsoft Windows Communication Foundation (WCF) which avoids the vulnerability.
    • Version supports use of .NET Remoting (system default) with connections restricted to a local port; mitigating the vulnerability.

Product Family

Suggested Actions

FactoryTalk Services Platform V2.00 – V6.11

We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs:

  • Upgrade to FactoryTalk Services Platform V6.31.
  • Recommended action for versions that predate v6.20 upgrade to version 6.20 or later; this version restricts connection settings to only the local port. If it is not possible to update:
  • Alternately for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11, install the patch at BF24822 - Patch: FactoryTalk Diagnostics Local Reader service connection settings restricted to local access only, FactoryTalk Services 6.11, 6.10, 3.00, 2.90, 2.80, 2.81, 2.74 to restrict connections settings to only the local port.
  • For versions that predate v2.74 it is recommended to upgrade to a more recent version.
  • Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
  • If the service is in use, use Windows Firewall configuration to help prevent remote connection to the effected port.
  • Steps to perform both solutions can be found in Risk mitigation for FactoryTalk Diagnostics remoting endpoint.

Note: A Snort rule for this issue is available in Snort’s developer rules (sid: 32474).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that .NET Remoting from unauthorized sources are blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.
  • Consider implementing network security protocols for software systems, such as IPSec. Documentation is available in QA46277 - Deploying FactoryTalk Software with IPsec, outlining guidelines for implementing IPSec with FactoryTalk applications.

Software/PC-based Mitigation Strategies

  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

  • Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack (CVE-2023-27855, CVE-2023-27857, CVE-2023-27856, CVE-2023-28757)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 21, 2023 – Initial Version

Executive Summary

A vulnerability was discovered by Tenable Security Researchers and reported to Rockwell Automation. The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to potentially perform remote code execution on the target or crash the software.

Customers using the products in scope are encouraged to evaluate the mitigations provided and apply them appropriately to their deployed products. See the additional details relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

ThinManager ThinServer software Versions
6.x – 10.x
11.0.0 – 11.0.5
11.1.0 – 11.1.5
11.2.0 – 11.2.6
12.0.0 – 12.0.4
12.1.0 – 12.1.5
13.0.0-13.0.1

Vulnerability Details

CVE 2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, potentially causing remote code execution.

CVE 2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In affected versions, a path traversal exists when processing a message of type 8. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided, and are encouraged, when possible, to combine these mitigations with the general security guidelines to employ multiple strategies simultaneously.
CVE-2023-27855
CVE-2023-27856
CVE-2023-27857		 First Known Affected Fixed Versions
6.x – 10.x These versions are retired. Please update to the supported version.
11.0.0 – 11.0.5 Update to v11.0.6
11.1.0 – 11.1.5 Update to v11.1.6
11.2.0 – 11.2.6 Update to v11.2.7
12.0.0 – 12.0.4 Update to v12.0.5
12.1.0 – 12.1.5 Update to v12.1.6
13.0.0 – 13.0.1 Update to v13.0.2

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:
  • Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain the security posture of your environment.

References

PN1619 | Modbus TCP AOI Server Could Leak Sensitive Information (CVE-2023-0027)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 16, 2023

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This vulnerability may allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via Modbus TCP protocol. Rockwell Automation Sample Code Library ID:101037.
    • Customers who do not use the AOI with a controller are not impacted.
    • The Modbus TCP Client AOI, that is a part of this sample code library, does not have this vulnerability.

Vulnerability Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, an unauthorized user could potentially send a malformed message causing the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this vulnerability without knowing the Modbus address of the last valid request.


CVSS v3.1 Base Score: 5.3/10[medium]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products.
Products Affected First Known Version Affected Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code 2.00.00 This issue has been mitigated in the following AOI versions: 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.

PN1554 | CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation (CVE-2020-6998)

Revision History
Revision Number
1.2
Revision History
Version 1.0 – March 2, 2021. Initial Release
Version 1.2 – February 7, 2023 - Updated affected products and risk mitigations section

Executive Summary

CompactLogix™ 5370 and ControlLogix® 5570 Programmable Automation Controllers (PACs) contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in denial of service conditions. The Cybersecurity & Infrastructure Security Agency (CISA) reported this vulnerability to Rockwell Automation by way of an anonymous researcher.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

The following products are affected:
  • CompactLogix 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2020-6998: Improper Input Validation Causes Denial of Service Condition
The connection establishment algorithm found in CompactLogix 5370 and ControlLogix 5570 does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP™ packet requests to a controller, which may cause denial of service conditions in communications with other products.

CVSS v3.1 Base Score: 5.8/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2020-6998
Products Affected First Known Version Affected Corrected In
CompactLogix 5370
ControlLogix 5570
GuardLogix 5570
 20.011 33.011 and later
Compact GuardLogix 5370 28.011 33.011 and later
ControlLogix 5570 Redundancy 20.054 33.051 and later

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

PN1616 | CVE-2019-5096 and CVE 2019-5097 Vulnerabilities Impact Multiple Products (CVE-2019-5097, CVE-2019-5096)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – January 27, 2023

Executive Summary

Rockwell Automation is aware of multiple products that utilize the GoAhead web server application and are affected by CVE 2019-5096 and CVE 2019-5097. Exploitation of these vulnerabilities could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these vulnerabilities being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including impact and recommended countermeasures, are provided.

Affected Products

CVE -2019-5096 and CVE 2019-5097

Catalog Number Firmware Version
1732E-8CFGM8R/A 1.012
1732E-IF4M12R/A (discontinued) 1.012
1732E-IR4IM12R/A 1.012
1732E-IT4IM12R/A 1.012
1732E-OF4M12R/A 1.012
1732E-OB8M8SR/A 1.013
1732E-IB8M8SOER 1.012
1732E-8IOLM12R 2.011
1747-AENTR 2.002
1769-AENTR 1.001
5069-AEN2TR 3.011
1756-EN2TR/C <=11.001
1756-EN2T/D <=11.001
1756-EN2TSC/B (discontinued) 10.01
1756-EN2TSC/B 10.01
1756-HIST1G/A (discontinued) <=3.054
1756-HIST2G/A(discontinued) <=3.054
1756-HIST2G/B <=5.103

CVE 2019 -5097

Catalog Number Firmware Version
ControlLogix® 5580 controllers V28 – V32*
GuardLogix® 5580 controllers V31 – V32*
CompactLogix™ 5380 controllers V28 – V32*
Compact GuardLogix 5380 controllers V31 – V32*
CompactLogix 5480 controllers V32*
1756-EN2T/D 11.001*
1756-EN2TR/C 11.001*
1765–EN3TR/B 11.001*
1756-EN2F/C 11.001*
1756-EN2TP/A 11.001*

* The vulnerability is only exploitable via the Ethernet port. It is not exploitable via backplane or USB communications.

Vulnerability Details

Rockwell Automation was made aware of two third-party vulnerabilities that affect the GoAhead embedded web server. A critical vulnerability (CVE-2019-5096) exists in the way requests are processed by the web server. If exploited, a malicious user could potentially leverage this vulnerability to execute arbitrary code   by sending specially crafted HTTP requests to the targeted device.

Additionally, a denial-of-service (DoS) vulnerability (CVE-2019 5097) exists in the GoAhead web server. To exploit this vulnerability, a malicious user would have to send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could potentially crash.

CVE 2019-5096 EmbedThis GoAhead web server code execution vulnerability
CVSS Base Score:  9.8/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE 2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability
CVSS Base Score:  7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

We encourage customers to apply the recommended mitigations, provided below.
Product Suggested Actions
1732E-8CFGM8R/A Refer to Additional Mitigations
1732E-IF4M12R/A Refer to Additional Mitigations
1732E-IR4IM12R/A Refer to Additional Mitigations
1732E-IT4IM12R/A Refer to Additional Mitigations
1732E-OF4M12R/A Refer to Additional Mitigations
1732E-OB8M8SR/A Refer to Additional Mitigations
1732E-IB8M8SOER Refer to Additional Mitigations
1732E-8IOLM12R Refer to Additional Mitigations
1747-AENTR Refer to Additional Mitigations
1769-AENTR Update to 1.003 or later
5069-AEN2TR (discontinued) Migrate to the 5069-AENTR
1756-EN2T/D Update to 11.002 or later
1756-EN2TR/C Update to 11.002 or later
1756-EN3TR/B Update to 11.002 or later
1756-EN2F/C Update to 11.002 or later
1756-EN2TP/A Update to 11.002 or later
1756-EN2TSC/B Refer to Additional Mitigations
1756-HIST1G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/B Update to 5.104 or later
1756-EN2F/C Update to 11.002 or later
ControlLogix 5580 controllers Update to V32.016 or later
GuardLogix 5580 controllers Update to V32.016 or later
CompactLogix 5380 controllers Update to V32.016 or later
Compact GuardLogix 5380 controllers Update to V32.016 or later
CompactLogix 5480 Update to V32.016 or later

Additional Mitigations

If updating firmware is not possible or unavailable, we recommend the following compensating controls to help minimize risk of the vulnerability.
  • Disable the web server, if possible. Please review the corresponding product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
    • For 1732E, upgrade to the latest firmware to disable the web server.
  • Configure firewalls to disallow network communication through HTTP/Port 80.
Please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for more recommendations about maintaining the security posture of your environment.

References

PN1613 | Product Notice 1613: Logix Controllers Vulnerable to a Denial-of-Service Vulnerability (CVE-2022-3157)

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2022
Version 1.1 – January 17, 2022 – Updated risk mitigation section
Version 1.2 – January 25, 2023 – Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a denial-of-service vulnerability that impacts several versions of our GuardLogix® and ControlLogix® controllers. Exploitation of this vulnerability could potentially lead to degradation in availability of the controller and/or a possible major non-recoverable fault (MNRF).

Customers using affected software versions are encouraged to evaluate the mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • CompactLogix™ 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2022-3157 Controllers vulnerable to Denial-of-Service Condition
A vulnerability exists in the Rockwell Automation controllers that allows a malformed CIP™ request to cause a major non-recoverable fault (MNRF) and a denial-of-service condition (DOS).

CVSS Base Score:  8.6/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Products Affected

First Known Version Affected

Corrected In
CompactLogix 5370
ControlLogix 5570
GuardLogix 5570
 20.011
  • 33.013
  • 34.011 and later
Compact GuardLogix 5370 28.011
  • 33.013
  • 34.011 and later
ControlLogix 5570 Redundancy 20.054
  • 33.052
  • 34.051 and later

Reference

PN1614 | Studio 5000 Logix Emulate Vulnerable to a SMB Insecurely Configuration Vulnerability (CVE-2022-3156)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 22, 2022

Executive Summary

Rockwell Automation was made aware of a misconfiguration vulnerability that affects Studio 5000® Logix Emulate™. Exploitation of this vulnerability could potentially allow a malicious user to perform a remote code execution that could impact the confidentiality, integrity and availability of the software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Studio 5000 Logix Emulate v.20 – 33

Vulnerability Details

CVE-2022-3156 Studio 5000 Logix Emulate SMB™ misconfiguration vulnerability
Users are granted elevated permissions on select product services. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

CVSS Base Score:  7.8/10 (High)
CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations provided and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Vulnerabilities Product Suggested Actions
CVE-2022-3156 Studio 5000 Logix Emulate Customers should upgrade to version 34.00 or later to mitigate this issue.

References

PN1611 | Product Notice 1611: MicroLogix 1100 and 1400 Product Web Server Application Vulnerable to Denial-Of-Service Condition Attack

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from security researchers at Veermata Jijabai Technological Institute (VJTI). If exploited, this vulnerability could cause a denial-of-service condition in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the webserver of the Micrologix-1400 B PLC contains a vulnerability that may lead to a denial-of-service condition. The security vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to webserver and closing it abruptly which would cause a denial-of-service condition for the web server application on the device.

(CVE 2022-3166) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 7.5 /10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
  • Upgrade to the MicroLogix 800 or MicroLogix 850 as this device does not have the web server component
If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

PN1612 | Product Notice 1612: MicroLogix 1100 and 1400 Web Server Application Vulnerable to Cross Site Scripting Attack

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from a security researcher from Georgia Institute of Technology. If exploited, this vulnerability could allow an attacker to submit remote code in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability previously being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution.  The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

(CVE 2022-46670) MicroLogix Controllers Vulnerable to Cross-Site Scripting Attack
CVSS Base Score: 8.2 /10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80
  • Upgrade to the Micro800 family as this device does not have the web server component.

If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

PN1609 | Logix Controllers Vulnerable to Denial-of-Service Attack (CVE-2022-3752)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 6, 2022

Executive Summary

Rockwell Automation discovered a vulnerability within our Logix Controllers.  This vulnerability may allow an unauthorized user to cause a denial of service on a targeted device.  Customers using affected versions of this firmware are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5580 controllers

Vulnerability Details

CVE-2022-3752 Rockwell Automation Logix Controllers are Vulnerable to a Denial-of-Service Attack
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading  to cause a denial-of-service condition resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Products Affected First Known Version Affected Corrected In
CompactLogix 5380 Compact GuardLogix 5380 ControlLogix 5580 GuardLogix 5580 This vulnerability is present in firmware version 31.011 and later This issue has been mitigated in the following firmware versions:
  • 32.016 and later for versions 32
  • 33.015 and later for versions 33
  • 34.011 and later
Customers should upgrade to a version listed above to mitigate this vulnerability
CompactLogix 5480 This vulnerability is present in firmware version 32.011 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines Article in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

ADDITIONAL LINKS

PN1608 | FactoryTalk Live Data Communication Module Vulnerable to Man-In-The-Middle Attack

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 1, 2022

Executive Summary

Rockwell Automation received a report from Guidepoint Security regarding a security vulnerability discovered within the FactoryTalk® Live Data Communication Module contained within the FactoryTalk Services Platform. Due to the use of a cleartext protocol in this module, malicious actors could conduct Address Resolution Protocol spoofing resulting in loss of integrity of the traffic. This could allow the attacker to view and modify unauthorized packets and potentially deceive the user into seeing false data on the human machine interface.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the issue, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk LiveData Communication Module (Contained within FactoryTalk Services Platform) - All versions

Vulnerability Details

FactoryTalk LiveData Communication Module vulnerable to man-in-the-middle attack
An unauthenticated attacker with network access can accomplish a man-in-the-middle attack utilizing the clear text protocol of the FactoryTalk LiveData Communication Module and modify traffic leading to a complete loss of integrity for the products affected by the vulnerability.  This condition could result in the operator at the human machine interface seeing manipulated data on the screen potentially breaking the integrity of the data that is seen.

CVSS v3.1 Base Score: 5.9/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to setup the secondary mitigation as described below that addresses the associated risk.  Customers are also directed towards general risk mitigation strategies provided in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Suggested Actions

Customers should setup IPsec to mitigate this issue as detailed in the QA46277 - Deploying FactoryTalk Software with IPsec Knowledgebase article.

General Security Guidelines

If customers are unable to implement IPsec, it is recommended that the below guidelines be adhered to as they provide strong mitigations against this type of attack.

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls to help ensure that unused or unnecessary protocols from unauthorized sources are blocked. For more information on TCP/UDP ports and protocols used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCPUDP Ports Used by Rockwell Automation Products.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Consult the product documentation for specific features, (e.g. hardware keyswitch settings) which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

General security guidelines can be found in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1576 | FactoryTalk® Activation Manager and Studio 5000 Logix Designer® contain Wibu Codemeter vulnerabilities. (CVE-2021-20094, CVE-2021-20093, CVE-2021-41057)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 6, 2021
Revision History
Revision Number
2.0
Revision History
Version 2.0 - August 11, 2021 – Removed modified score
Revision History
Revision Number
3.0
Revision History
Version 3.0 – November 22, 2022

Executive Summary

Rockwell Automation is impacted by advisory ICSA-21-210-02 which contains two vulnerabilities targeting Wibu-Systems AG.  These vulnerabilities impact FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, these vulnerabilities may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Activation Manager v4.00 to v4.05.02
    • Includes Wibu-Systems AG CodeMeter v7.20a and earlier
  • Studio 5000 Logix Designer® v23.00.01 to v33.00.02

Vulnerability Details

CVE-2021-20093: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.


Wibu-Systems AG score:

CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2021-20094: CWE-126

Factory Talk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap

Wibu-Systems AG score:

CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-------------------UPDATE: 22 Nov 2022----------------------

CVE-2021-41057: CWE-269

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Wibu-Systems AG Score:
CVSS V3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Risk Mitigation & User Action

Customers using the affected FactoryTalk® Activation Manager and/or Studio 5000 Logix Designer® are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-20093 Update to Factory Talk Activation Manager 4.05.03 or later
For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation
CVE-2021-20094 Update to Factory Talk Activation Manager 4.05.03 or later
CVE-2021-41057 Update to Factory Talk Activation Manager 4.06.11 or later

Customers may update Wibu-Systems CodeMeter independently for FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems CodeMeter AG v7.30a.  Please refer to this support page to determine if Wibu-Systems CodeMeter AG v7.30a is compatible with the installed versions of Rockwell Automation software.

During installation, Rockwell Automation products bind CodeMeter Runtime to the Local Host adapter and the Network Server and CmWAN Server ports are disabled.  Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection.  Default port 22350 is required if activation licenses are hosted from the machine.

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1508 | Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products (CVE-2020-11914, CVE-2020-11910, CVE-2020-11901, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-25066, CVE-2020-11906)

Revision History
Revision Number
5.0
Revision History
Version 5.0 – November 1, 2022. Added patch information for additional products
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 - January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 - July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 - June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization.  The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DCHPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC

and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE ID.



Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Affected Product Family Affected Versions CVE-2020-XXXXX
11896
 11897 11898 11899 11900 11901 11902 11903 11904 11905 11906 11907 11908 11909 11910 11911 11912 11913 11914
5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT

 1.011-4.011 X X X X X X
5069-AENTR 3.011-4.011 X X X X X X
1734-AENT/R 4.001- 6.012 X X X X X X
1738-AENT/R 4.001- 6.012 X X X X X X
1732E-16CFGM12R
 1732E-8X8M12DR
 1732E-IB16M12DR
1732E-IB16M12R
 1732E-OB16M12DR
 1732E-OB16M12R		 2.011-2.012 X X X X X X
1791ES-ID2SSIR 1.001
1799ER-IQ10XOQ10 2.011 X X X X X X
1794-AENTR/XT 1.011-1.017 X X X X X X
1732E-12X4M12QCDR
 1732E-16CFGM12QCR
 1732E-16CFGM12QCWR
 1732E-12X4M12P5QCDR
 1732E-16CFGM12P5QCR
 1.011-1.015 X X X X X X
1732E-16CFGM12P5QCWR
 1.011-2.011 X X X X X X
PowerMonitor 5000 4.19 X X X X X X X
PowerMonitor 1000 4.10 X X X X X X X
ArmorStart® ST+ Motor Controller 1.001 X X X X X
Kinetix 5500 All* X X X X X X
Kinetix® 5700 All* X X X X X X
Kinetix 5100 1.001 X X X X X X
PowerFlex 755T
PowerFlex 6000T		 All* X X X X X
CIP Safety Encoder All* X X X X X

Begin Update 3.0:
Affected Product Family Affected Versions CVE
1734-AENT/R 4.001- 6.012 CVE-2020-25066
1738-AENT/R 4.001- 6.012 CVE-2020-25066
1794-AENTR
1794-AENTR/XT		 1.011- 1.017 CVE-2020-25066
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R		 2.011-2.012 CVE-2020-25066
1799ER-IQ10XOQ10 2.011 CVE-2020-25066
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR		 1.011-1.015 CVE-2020-25066
1732E-16CFGM12P5QCWR 1.011-2.011 CVE-2020-25066
PowerMonitor 5000 4.19 CVE-2020-25066
PowerMonitor 1000 4.10 CVE-2020-25066
End Update 3.0

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066
A vulnerability in the Treck HTTP Server components allow an attacker to cause denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated, attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICPMv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). Potential impact of these vulnerabilties is currently being investigated and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE Suggested Actions

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914

 For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their Github page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE Suggested Actions
CVE-2020-25066 Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0


Available Fixes:

Update 4.0 May 17, 2022
CVE Affected Product Suggested Actions
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 5069-AENTR Apply firmware v4.012 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT		 Apply firmware v5.012 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914		 Kinetix 5700 Apply v13 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 PowerFlex 755T
PowerFlex 6000T		 Apply 6.005 or later for PF755T.  Apply R8 or later for PF6000T. (Download)

Update 5.0 November 1, 2022
CVE Affected Product Family Suggested Actions
CVE-2020-25066 1734-AENT/R Apply firmware 7.011 or later.
1738-AENT/R Apply firmware 6.011 or later.
1794-AENTR
1794-AENTR/XT		 Apply firmware 2.011 or later.
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R		 Apply firmware 3.011 or later.
1799ER-IQ10XOQ10 Apply firmware 3.011 or later.
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR		 Apply firmware 3.011 or later.
1732E-16CFGM12P5QCWR Apply firmware 3.011 or later.

General Security Guidelines

 Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites
and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

PN1607 | New Open SSL Vulnerability

Executive Summary

Rockwell Automation is aware of and currently monitoring the Open SSL vulnerability that was initially announced on Tuesday, October 25th. On Tuesday, November 1st the full vulnerability details were disclosed, and a patch was made available by the vendor. As part of our commitment to transparency and to protecting our customers’ security, we are evaluating all Rockwell products for this third-party vulnerability. If any products are affected by this vulnerability, we will provide an update to this notification. We look forward to working with our customers to satisfy any concerns they may have.

PN1601 | Stratix Products Vulnerable to Multiple Vulnerabilities (CVE-2020-3209, CVE-2020-3200, CVE-2021-1385, CVE-2020-3516, CVE-2021-1446)

Revision History
Revision History
Version 1.0 –October 27,2022

Executive Summary

Rockwell Automation is aware of  multiple vulnerabilities that impact Cisco IOS® XE and Cisco IOS software contained within Stratix® devices. Exploitation of these vulnerabilities could potentially lead to, but are not limited to, a denial-of-service condition and remote code execution.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • Stratix 5800 Switches
  • Stratix 5400/5410 Switches

Vulnerability Details

CVE 2020-3229 - Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The administrator GUI lacks correct handing of RBAC, which may allow a malicious user to send modified HTTP requests to the targeted device. If exploited, a read-only remote attacker could potentially execute commands or configuration changes as the administrator user.

CVE 2020-3219 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to insufficient validation of user input, this vulnerability could allow a malicious user to inject custom input into the web UI. If exploited, a remote attacker could potentially execute arbitrary code with administrative privileges on the operating system.

CVE-2021-1446 - Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
CVSS Base Score 8.6/10 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an affected device to reload.

CVE 2020-3200 - Cisco IOS and IOS XE Software Secure Shell Denial-of-Service Vulnerability
CVSS Base Score 7.7/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS software and Cisco IOS XE software could allow an authenticated, remote attacker to cause an affected device to reload.

CVE 2020-3211 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper input sanitization, this vulnerability could allow a malicious user with administrative privileges to submit specially crafted input in the web UI. If exploited, a remote attacker could potentially execute arbitrary commands with root privileges on the operating system.

CVE 2020-3218 - Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper validation of user supplied input, a malicious user could potentially create a file on the target device and upload a second malicious file to the device. If exploited, a user could execute arbitrary code with root privileges on the underlying Linux shell.

CVE-2020-3209 - Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVSS Base Score 6.8/10 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The root cause of this vulnerability is an improper check on the area code that manages the verification of the digital signatures of the system files during the initial boot process. If exploited, a malicious user could potentially install and boot malicious software image or execute unsigned binaries on the targeted device. A malicious user could exploit this vulnerability by loading unsigned software on the affected device.

CVE-2021-1385 - Cisco IOx Application Environment Path Traversal Vulnerability
CVSS Base Score 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

CVE 2020-3516 – Cisco IOS XE Software Web UI Improper Input Validation Vulnerability
CVSS Base Score 4.3/10 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the web server authentication of Cisco IOS XE Software could allow an authenticated, remote attacker to crash the web server on the device.

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the Stratix 5800 switch. Customers are also directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Vulnerabilities Suggested Actions
Stratix 5800 switches CVE-2020-3209 Update to Stratix 5800 v.17.04.01 or later
CVE 2020-3211
CVE 2020-3218
CVE 2020-3229
CVE 2020-3219
CVE-2020-3516
CVE 2021-1385
CVE-2021-1446
Stratix 5800 switches CVE-2020-3200 Update to v16.12.01 or later
Stratix 5400/5410 switches CVE-2020-3200 Update to v15.2(7)E2 or later

Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.

References

PN1605 | FactoryTalk Alarm and Events Server Vulnerable to Denial-Of-Service Attack (CVE-2022-38744)

Revision History
Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation received a report from Kaspersky Labs regarding one vulnerability in FactoryTalk® Alarms and Events servers. If successfully exploited, these vulnerabilities may result in a denial-of-service condition causing the server to be unavailable.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk Alarms and Events server – All versions

Vulnerability Details

CVE-2022-38744 FactoryTalk Alarm and Events server vulnerable to denial-of-service attack
An unauthenticated attacker with network access to a victim's FactoryTalk service could open a connection, causing the service to fault and become unavailable. The affected port can be used as a server ping port and use messages structured with XML.

CVSS v3.1 Base Score: 7.5/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation , in our Knowledgebase.
Vulnerability Suggested Actions
CVE-2022-38744 Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation .

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1606 | Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability (CVE-2022-3158, CVE-2022-38743)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – October 06,2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially lead to a high impact on the confidentiality, a low impact on the integrity, and the availability of FactoryTalk® VantagePoint® software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

CVE 2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability
As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. Due to penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database.

CVE 2022-38743
CVSS Base Score:  9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE 2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability
Additionally, the device lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server.

CVE 2022-3158
CVSS Base Score:  9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.
Mitigation A Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later.
BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31
Mitigation B If customers are unable to update the firmware, we suggest customers configure the database to follow the least privilege principle.

Additional Links

PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products (CVE-2022-0778)

Revision History
Revision Number
1.1
Revision History
Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
  • FactoryTalk® Linx Gateway (Version 6.30 and earlier)
  • Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
  • Factory Talk View (Version 11.00 - Version 13.00)

Vulnerability Details

CVE-2022-0778 Open SSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 Open SSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Suggested Actions
ThinManager This issue has been patched.  Customers should follow the patch instructions as follows:
If using v12.0.0-12.0.2 >> Download v12.0.3
If using v12.1.0-12.1.3 >> Download v12.1.4
Factory Talk Linx Gateway Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk Linx OPC UA Connector Customers should view BF28103 - Everyone Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk View Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.

If an upgrade is not possible or available, customers should consider implementing the following mitigations:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1604 | ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack (CVE-2022-38742)

Revision History
Revision History
Version 1.0 – September 22, 2022 – Initial Version

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation.  The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.

Affected Products

ThinManager ThinServer software Versions
11.0.0 – 11.0.4
11.1.0 – 11.1.4
11.2.0 – 11.2.5
12.0.0 – 12.0.2
12.1.0 – 12.1.3
13.0.0

Vulnerability Details

CVE 2022-38742 ThinManager ThinServer Heap-Based Overflow

CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process.  This potentially exposes the server to arbitrary remote code execution.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE-2022-38742 Versions Affected Suggested Actions
11.0.0 – 11.0.4 Update to v11.00.05
11.1.0 – 11.1.4 Update to v11.01.05
11.2.0 – 11.2.5 Update to v11.02.06
12.0.0 – 12.0.2 Update to v12.00.03
12.1.0 – 12.1.3 Update to v12.01.04
13.0.0 Update to v13.00.01

Additional Mitigations

If users are unable to update to the patched version, they should put the following mitigation in place:
  • Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients
For additional security best practices, please see our Knowledgebase article,QA43240 - Security Best Practices, to maintain the security posture of your environment.

References

CVE-2022-38742

PN1603 | KEPServer Enterprise Vulnerable to Remote Code Execution and Denial-of-Service Attack (CVE-2022-2825, CVE-2022-2848)

Revision History
Revision History
Version 1.0 – September 1, 2022 – Initial Version

Executive Summary

Rockwell Automation was notified by ICS-CERT of vulnerabilities discovered in Kepware® KEPServerEX, which affects the Rockwell Automation KEPServer Enterprise. Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details are provided relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

KEPServer Enterprise – All versions prior to v13.01.00

Vulnerability Details

CVE 2022-2848 KEPServer Enterprise Heap-Based Overflow
CVSS Base Score: 9.1 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and
leak data.

CVE 2022-2825 KEPServer Enterprise Stack-Based Overflow
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and remotely execute code.

Risk Mitigation & User Action

Vulnerability Suggested Actions
CVE-2022-2848 Customers should update to version 13.01.00 which mitigates these issues
CVE-2022-2825


If a customer is unable to update to the mitigated version, it is suggested that Security Best Practices are followed as outlined in our Knowledgebase article, QA43240 - Security Best Practices.

General Security Guidelines

PN1598 | CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products (CVE-2022-1096)

Reference
CVE 2022-1096
Revision History
Revision Number
1.1
Revision History
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE 2022-1096, which is a zero day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities including recommended countermeasures, are provided.

Affected Products

Product in Scope Vulnerable Component
FactoryTalk® Linx Enterprise software
v6.20, 6.21, and 6.30		 V6.21 CefSharp v73.1.130 (EIPCACT feature)
V6.30 CefSharp v91.1.230 (EIPCACT feature)
v6.20 CefSharp v73.1.130 (Device Config feature)
v6.21 CefSharp v73.1.130 (Device Config feature
v6.30 CefSharp v73.1.130 (Device Config feature
Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
Electron v4.2.12
Connected Components Workbench software v11, 12,13 & 20 Note: Drives Trending 1.00.00 and 2.00.00 uses Connected Components Workbench Cefsharp V81.3.100
FactoryTalk Link Gateway software v6.21 and v6.30  v6.21 CefSharp v73.1.130
 v6.30 CefSharp v91.1.230
FactoryTalk View Site Edition software v.13.0 WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using the FactoryTalk View Site Edition follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file that is saved in the C:Program Files (x86)Rockwell SoftwareRSView EnterpriseMicrosoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for Power Flex 6000T drives follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations, noted above, is not possible please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers (CVE-2021-22681)

Revision History
Revision Number
1.4
Revision History
Version 1.0 - February 25, 2021. Initial Release.
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations

Executive Summary

Researchers found that our Studio 5000 Logix Designer® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

FactoryTalk® Security provides user authentication and authorization for a particular set of actions within RSLogix® 5000 and Studio 5000®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000 this verification mechanism, referenced above, is leveraged to establish the connection to the controller. For customers concerned with user access control and who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.

This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.

Affected Products

Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.

Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix 5380
Guardlogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800

Vulnerability Details

CVE-2021-22681: Private Key Extraction
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

For details and further mitigation options, please see the table below.
Product Family and Version Risk Mitigation and Recommended User Actions






ControlLogix 5580 v32 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the followings mitigations are recommended:
  • Deploy CIP Security for Logix Designer application connections through the front port. CIP Security prevents unauthorized connections when deployed properly.
  • If not using the front port, use a 1756-EN4TR ControlLogix EtherNet/IP™ module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.



ControlLogix 5580 v31
  • Put the controller mode switch to “Run” mode.I
If the above cannot be deployed, the following mitigations are recommended:
  • Apply v32 or later and follow mitigations actions outlined above.
  • If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
ControlLogix 5570 v31 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are recommended:
  • Use a 1756-EN4TR ControlLogix EtherNet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
CompactLogix 5380 v28 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are
recommended:
  • Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
CompactLogix 5370 v20 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are
recommended:
  • Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
ControlLogix 5580 v28-v30
ControlLogix 5570 v18 or later
ControlLogix 5560 v16 or later
ControlLogix 5550 v16
GuardLogix 5580 v31 or later
GuardLogix 5570 v20 or later
GuardLogix 5560 v16 or later
1768 CompactLogix v16 or later
1769 CompactLogix v16 or later
CompactLogix 5480 v32 or later
Compact GuardLogix 5370 v28 or later
Compact GuardLogix 5380 v31 or later
FlexLogix 1794-L34 v16
DriveLogix 5370 v16 or later
  • Put the controller mode switch to “Run” mode.
SoftLogix 5800

Detection Strategies:
In addition, customers can continue to use the methods below to detect changes to configuration or application files:
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • If using v17 or later, utilize the Controller Log feature.
  • If using v20 or later, utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations

Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper networking segmentation and security controls.  Including, but not limited to:
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimizing network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
  • Locating control system networks and devices behind firewalls and isolating them from the enterprise/business network.
  • Restricting or blocking traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.

CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products.  CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.

As of May 5, 2021, a new mitigation option is now available.  The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security.  See below for how this product can be deployed to address CompactLogix based applications.

Customers requiring setup or deployment guidance for CIP Security protocol should refer to the CIP Security deployment refence guide (Publication secure-at001) for more information.

*Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1600 | ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks (CVE-2022-2463, CVE-2022-2465, CVE-2022-2464)

Revision History
Revision History
Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AAdvance Trusted SIS Workstation to products affected

Executive Summary

Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • ISaGRAF Workbench v6.0 though v6.6.9
  • AADvance-Trusted Safety Instrumented System Workstation v1.1 and below

Vulnerability Details

CVE-2022—2465: Deserialization of untrusted data may result in arbitrary code execution

ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2463: Improper input sanitization may lead to privilege escalation

ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Product Suggested Actions
CVE-2022-2463
CVE-2022-2464
CVE-2022-2465		 ISaGRAF Workbench Upgrade to ISaGRAF Workbench v6.6.10 or later.
CVE-2022-2463
CVE-2022-2464		 AAdvance-Trusted SIS Workstation Upgrade to AADvance-Trusted SIS Workstation 1.2 or later
CVE-2022-2465 AAdvance-Trusted SIS Workstation It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
If immediate upgrade is not possible, customers should consider implementing the following mitigations:
  • Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

If applying the mitigations noted above, is not possible please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1599 | FactoryTalk Analytics DataView Vulnerable to Spring4Shell Vulnerability (CVE 2022-22965)

Revision History
Revision History
Version 1.0 – July 14, 2022

Executive Summary

Rockwell Automation was made aware of a zero-day vulnerability that impacts the Spring Core Framework. If exploited, this vulnerability could potentially have a high impact on the confidentiality, integrity, and availability of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including products in scope, impact, and recommended countermeasures are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • FactoryTalk® Analytics™ DataView v.3.03.01 and below

Vulnerability Details

Rockwell Automation was made aware of a third-party remote code execution vulnerability that exists in the Spring Core Framework. This vulnerability could potentially allow an attacker to send a specially crafted request to a vulnerable server. To exploit this vulnerability, the target application must run on a Tomcat as a WAR deployment. However, due to the nature of the vulnerability, other ways to exploit it may exist.

CVSS Base Score: 9.8 /10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available. Please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

PN1597 | MicroLogix 1400/1100 Vulnerable to Clickjacking Vulnerability (CVE-2022-2179)

Revision History
Revision History
Version 1.0 – July 7, 2022

Executive Summary

Rockwell Automation received a vulnerability report from Pawan V. Sable and Pranita Sadgir, and Dr. Faruk Kazi of COE-CNDS from Veermata Jijabai Technological Institute (VJTI) India. If exploited, this vulnerability could potentially have a high impact on the confidentiality of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided herein. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 v. 21.007 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the X-Frame-Options header is not configured in the HTTP response and allows potential clickjacking attacks. Exploitation of this vulnerability could potentially allow a malicious user to trick a legitimate user into using an untrusted website. If exploited, this vulnerability could lead to a loss of sensitive information, such as authentication credentials.

(CVE 2022 - 2179) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 6.5 /10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

PN1596 | Logix Controllers Vulnerable to Denial-of-Service Attack (CVE-2022-1797)

Revision History
Revision Number
1.4
Revision History
Version 1.0 – May 24, 2022
Version 1.1 – June 3, 2022 Updated suggested actions and removed versions for clarity
Version 1.2 – June 17, 2022 Clarified vulnerability details and updated risk mitigation section
Version 1.3 – July 8th, 2022 Updated risk mitigation section
Version 1.4 – July 17th, 2023 Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to send malicious messages to the targeted device, which could potentially, lead to a denial-of-service.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix™ 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix® 5580 controllers
  • GuardLogix 5580 controllers
  • CompactLogix 5370 controllers
  • Compact GuardLogix 5370 controllers
  • ControlLogix 5570 controllers
  • GuardLogix 5570 controllers

Vulnerability Details

CVE-2022-1797 Rockwell Automation Logix controllers are vulnerable to denial-of-service attack
A vulnerability that exists in the Logix controller may allow an attacker to modify a message instruction control structure that could cause a denial-of-service condition due to a major nonrecoverable fault. If the controller experiences a major nonrecoverable fault, a user will have to clear the fault and redownload the user project file to bring the device back online and continue normal operations.

CVSS v3.1 Base Score: 6.8/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers can apply either mitigation A or B to address this vulnerability. Customers are directed towards the risk mitigation provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Version Affected Suggested Actions
CompactLogix 5380 Versions prior to 32.016 Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5380
CompactLogix 5480
ControlLogix 5580
GuardLogix 5580
CompactLogix 5370 Versions prior to 33.016 Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read only.  Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5370
ControlLogix 5570
GuardLogix 5570
ControlLogix 5570 Redundancy Versions prior to 33.053 Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read only.  Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.


If applying mitigation A or B is not possible, customers should consider implementing the following solutions:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with products from Rockwell Automation is available at Knowledgebase article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1585 | Logix Controllers May Allow for Unauthorized Code Injection (CVE-2021-22681, CVE-2022-1161)

Revision History
Revision History
Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”) whereby a private key was discovered potentially allowing Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communication that do not originate from Studio 5000 Logix Designer ® software.

Affected Products

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™5730 controllers
  • SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability – indicated by an X:
Product Structured Text
(ST)		 Ladder Diagrams
(LD)		 Function Block Diagram
(FBD)		 Sequential Function Chart (SFC) Add-On Instructions (AOI)
1768 CompactLogix X Not affected X X X
1769 CompactLogix X Not affected X X X
CompactLogix 5370 X Not affected X X X
CompactLogix 5380 X X X X X
CompactLogix 5480 X X X X X
Compact GuardLogix 5370 X Not affected X X X
Compact GuardLogix 5380 X X X X X
ControlLogix 5550 X Not affected X X X
ControlLogix 5560 X Not affected X X X
ControlLogix 5570 X Not affected X X X
ControlLogix 5580 X X X X X
GuardLogix 5560 X Not affected X X X
GuardLogix 5570 X Not affected X X X
GuardLogix 5580 X X X X X
FlexLogix 1794-L34 X Not affected X X X
DriveLogix 5730 X Not affected X X X
SoftLogix 5800 X Not affected X X X

Risk Mitigation & User Action

We recommend customers using the affected products, below, to apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to overall increase the security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family Risk Mitigation and Recommended User Actions









ControlLogix 5570
ControlLogix 5580
GuardLogix 5570
GuardLogix 5580
CompactLogix 5380
Compact GuardLogix 5380
Risk Mitigation A:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Put controller mode switch into Run position
If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilize the Controller Log feature
  • Utilize Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed.  Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR’s
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port
  • Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend customers using the affected products, below, to apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.
Product Family Risk Mitigation and Recommended User Actions
1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5480
ControlLogix 5560
GuardLogix5560

 Risk Mitigation A:
  • Recompile and download user program code (i.e., acd)
  • Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Recompile and download user program code (i.e., acd)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Use the Controller Log feature
  • Use Change Detection in the Logix Designer application
  • If available, use the functionality in FactoryTalk AssetCenter to detect changes

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
Do not click on or open URL links from untrusted sources.Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations (Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

PN1586 | Logix Designer Application May Allow Unauthorized Controller Code Injection (CVE-2022-1159)

Revision History
Revision History
Version 1.0 – March 31, 2022
Version 1.1 – May 06, 2022 – Updated vulnerability details and mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Studio 5000 Logix Designer® software which impacts some Logix controllers. Claroty found that the Logix Designer application could allow an unauthorized third-party to inject controller code using a compromised workstation where the third party has gained administrative access. This could allow a third party to download the modified program to the controller and potentially allow for arbitrary code execution on the controller in a way that would potentially be undetectable to a user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here .

Affected Products

Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these versions:
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers

Vulnerability Details

[CVE-2022-1159]: Modification of PLC Program Code
Studio 5000 Logix Designer compiles the user program on the workstation.  This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer.  The attacker can then intercept the compilation process and inject code into the user program.   The user may potentially be unaware that this modification has taken place.

This exploit could also allow modification of source key protected content and license source protected content. Changes to the content may not be noticeable to the user. Additionally, exploitation could affect safety tasks if unlocked and signature unprotected at the time of the attack. A locked and signature protected safety task would not be impacted.

CVSS v3.1 Base Score: 7.7/HIGH
CVSS Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

There is no long-term mitigation for this vulnerability. Customers using the affected hardware and software are directed to apply compensating controls and utilize detection capabilities, which are both listed below. Additionally, we recommend implementing general security guidelines for a comprehensive defense in depth strategy.

Compensating Controls:

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer application Compare Tool User Manual publication LDCT-UM001C, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see the Rockwell Automation publication number SECURE-RM001 “System Security Design Guidelines Reference Manual”.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

PN1594 | APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)

Revision History
Revision History
Version 1.0 – May 6, 2022

Executive Summary

On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.

We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.

Affected Products

We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products, listed below, use one of the targeted components. This list may be updated if more products are identified.

Products that use OPC UA servers:
  • FactoryTalk® Linx Gateway
    • Editions include embedded, basic, standard, extended distributed, professional
    • Versions include 6.10, 6.11, 6.20, 6.21 and 6.30

Risk Mitigation & User Action

We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:
  • Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance. FactoryTalk Linx Gateway Getting Result Guide FTLG-GR001E
    • Chapter 4 - UA Server Endpoints - Endpoint Properties
    • Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
  • Enforce a lockout threshold for failed authentication attempts and configure audit logs using the following guidance to detect signs of an attack. FactoryTalk Security System Configuration Guide Publication FTSEC-QS001R - Chapter 9
    • Set system policies - Account Policy Settings
    • Set audit policies - Monitor security-related events

General Security Guidelines

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Additional Links

PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre